Merge pull request #391 from mailcow/clamav-path
Add ClamAV Docs section with Additional databases
Dieser Commit ist enthalten in:
Commit
b4b783a012
9 geänderte Dateien mit 210 neuen und 69 gelöschten Zeilen
|
@ -88,6 +88,7 @@ Jeder Container repräsentiert eine einzelne Anwendung.
|
|||
|
||||
**Docker-Volumes** zur Aufbewahrung dynamischer Daten - kĂĽmmern Sie sich um sie!
|
||||
|
||||
- clamd-db-vol-1
|
||||
- crypt-vol-1
|
||||
- mysql-socket-vol-1
|
||||
- mysql-vol-1
|
||||
|
|
|
@ -88,6 +88,7 @@ Each container represents a single application.
|
|||
|
||||
**Docker volumes** to keep dynamic data - take care of them!
|
||||
|
||||
- clamd-db-vol-1
|
||||
- crypt-vol-1
|
||||
- mysql-socket-vol-1
|
||||
- mysql-vol-1
|
||||
|
@ -98,4 +99,4 @@ Each container represents a single application.
|
|||
- sogo-web-vol-1
|
||||
- solr-vol-1
|
||||
- vmail-index-vol-1
|
||||
- vmail-vol-1
|
||||
- vmail-vol-1
|
||||
|
|
68
docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.de.md
Normale Datei
68
docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.de.md
Normale Datei
|
@ -0,0 +1,68 @@
|
|||
## Weitere Datenbanken fĂĽr ClamAV
|
||||
|
||||
Die Standard ClamAV Datenbanken haben keine hohe Trefferquote, können aber durch kostenlose und kostenpflichtige Datenbanken erweitert werden.
|
||||
|
||||
### Liste von bekannten (kostenfreien) Datenbanken | Stand April 2022
|
||||
|
||||
- [SecurityInfo](https://www.securiteinfo.com/) - kostenlose ClamAV DBs fĂĽr Testzwecke. Registrierung der IP Adresse des Servers erforderlich (dann nutzbar fĂĽr besagte IP).
|
||||
- [InterServer](http://rbluri.interserver.net/) - kostenlose ClamAV DBs. FĂĽr E-Mail Zwecke eher ungeeignet.
|
||||
|
||||
### SecuriteInfo Datenbank aktivieren
|
||||
|
||||
1. Kostenfreien Account auf https://www.securiteinfo.com/clients/customers/signup erstellen.
|
||||
2. Sie erhalten eine E-Mail um Ihren Account zu aktivieren gefolgt von einer E-Mail mit Ihrem Login Namen.
|
||||
3. Loggen Sie sich ein und navigieren Sie zu ihrem Account https://www.securiteinfo.com/clients/customers/account
|
||||
4. Klicken Sie auf den 'Setup' Reiter.
|
||||
5. Sie brauchen `your_id` von den Downloadlinks. **Diese sind pro User individuell**.
|
||||
7. FĂĽgen Sie diese wie folgt in die `data/conf/clamav/freshclam.conf` ein und ersetzen Sie den `your_id` Teil mit Ihrer ID:
|
||||
```
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.hdb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.ign2
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/javascript.ndb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/spam_marketing.ndb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfohtml.hdb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfoascii.hdb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfopdf.hdb
|
||||
```
|
||||
|
||||
8. Passen Sie `data/conf/clamav/clamd.conf` mit den folgenden Einstellungen an:
|
||||
```
|
||||
DetectPUA yes
|
||||
ExcludePUA PUA.Win.Packer
|
||||
ExcludePUA PUA.Win.Trojan.Packed
|
||||
ExcludePUA PUA.Win.Trojan.Molebox
|
||||
ExcludePUA PUA.Win.Packer.Upx
|
||||
ExcludePUA PUA.Doc.Packed
|
||||
MaxScanSize 150M
|
||||
MaxFileSize 100M
|
||||
MaxRecursion 40
|
||||
MaxEmbeddedPE 100M
|
||||
MaxHTMLNormalize 50M
|
||||
MaxScriptNormalize 50M
|
||||
MaxZipTypeRcg 50M
|
||||
```
|
||||
9. Starten Sie den ClamAV Container neu:
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
||||
|
||||
**Bitte beachten Sie**:
|
||||
|
||||
- Sie können `ExcludePUA` und `IncludePUA` in der `clamd.conf` nicht gleichzeitig nutzen! Kommentieren Sie bitte `IncludePUA` aus, sollte es nicht auskommentiert sein.
|
||||
- Die Liste der Datenbanken genutzt in diesem Beispiel sollten für die meisten Fälle passen. SecuriteInfo bietet jedoch noch andere Datenbanken an. Bitte schauen Sie sich das SecuriteInfo FAQ für weitere Informationen an.
|
||||
- Mit den neu eingestellten Datenbanken (und den Standard Datenbanken) ClamAV verbraucht ClamAV etwa 1,3 GB RAM des Servers.
|
||||
- Sollten Sie `message_size_limit` in Postfix verändert haben müssen Sie die `MaxSize` Einstellung in ClamAV auf den selben Wert eintragen.
|
||||
|
||||
### InterServer Datenbanken aktivieren
|
||||
|
||||
1. FĂĽgen Sie folgendes in `data/conf/clamav/freshclam.conf` ein:
|
||||
```
|
||||
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
|
||||
DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
|
||||
DatabaseCustomURL http://sigs.interserver.net/shell.ldb
|
||||
DatabaseCustomURL http://sigs.interserver.net/whitelist.fp
|
||||
```
|
||||
2. Starten Sie den ClamAV Container neu:
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
68
docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.en.md
Normale Datei
68
docs/manual-guides/ClamAV/u_e-clamav-additional_dbs.en.md
Normale Datei
|
@ -0,0 +1,68 @@
|
|||
## Additional Databases for ClamAV
|
||||
|
||||
Default ClamAV databases has not great detection level, but it could be enhanced with free or paid signature databases.
|
||||
|
||||
### List of known free databases | As of April 2022
|
||||
|
||||
- [SecurityInfo](https://www.securiteinfo.com/) - free ClamAV DBs for testing purposes, required registration after which you can use them from 1 IP
|
||||
- [InterServer](http://rbluri.interserver.net/) - free to use ClamAV DBs, but they do not fit well for email scanning
|
||||
|
||||
### Enable SecuriteInfo databases
|
||||
|
||||
1. Sign up for a free account at https://www.securiteinfo.com/clients/customers/signup
|
||||
2. You will receive an email to activate your account and then a follow-up email with your login name
|
||||
3. Login and navigate to your customer account: https://www.securiteinfo.com/clients/customers/account
|
||||
4. Click on the Setup tab
|
||||
5. You will need to get `your_id` from one of the download links, they are individual for every user
|
||||
7. Add to `data/conf/clamav/freshclam.conf` with replaced `your_id` part:
|
||||
```
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.hdb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfo.ign2
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/javascript.ndb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/spam_marketing.ndb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfohtml.hdb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfoascii.hdb
|
||||
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/your_id/securiteinfopdf.hdb
|
||||
```
|
||||
|
||||
8. Adjust `data/conf/clamav/clamd.conf` to align with next settings:
|
||||
```
|
||||
DetectPUA yes
|
||||
ExcludePUA PUA.Win.Packer
|
||||
ExcludePUA PUA.Win.Trojan.Packed
|
||||
ExcludePUA PUA.Win.Trojan.Molebox
|
||||
ExcludePUA PUA.Win.Packer.Upx
|
||||
ExcludePUA PUA.Doc.Packed
|
||||
MaxScanSize 150M
|
||||
MaxFileSize 100M
|
||||
MaxRecursion 40
|
||||
MaxEmbeddedPE 100M
|
||||
MaxHTMLNormalize 50M
|
||||
MaxScriptNormalize 50M
|
||||
MaxZipTypeRcg 50M
|
||||
```
|
||||
9. Restart ClamAV container:
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
||||
|
||||
Please note:
|
||||
|
||||
- You can't use `ExcludePUA` and `IncludePUA` in `clamd.conf` simultaneously, so please comment any `IncludePUA` if you uncommented them before.
|
||||
- List of databases provided in this example fit most use-cases, but SecuriteInfo also provides other databases. Please check SecuriteInfo FAQ for additional information.
|
||||
- With the current DB set (including default DBs) ClamAV will consume about 1.3Gb of RAM on your server.
|
||||
- If you modified `message_size_limit` in Postfix you need to adapt `MaxSize` settings in ClamAV as well.
|
||||
|
||||
### Enable InterServer databases
|
||||
|
||||
1. Add to `data/conf/clamav/freshclam.conf`:
|
||||
```
|
||||
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
|
||||
DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
|
||||
DatabaseCustomURL http://sigs.interserver.net/shell.ldb
|
||||
DatabaseCustomURL http://sigs.interserver.net/whitelist.fp
|
||||
```
|
||||
2. Restart ClamAV container:
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
33
docs/manual-guides/ClamAV/u_e-clamav-whitelist.de.md
Normale Datei
33
docs/manual-guides/ClamAV/u_e-clamav-whitelist.de.md
Normale Datei
|
@ -0,0 +1,33 @@
|
|||
## Whitelist fĂĽr bestimmte ClamAV-Signaturen
|
||||
|
||||
Es kann vorkommen, dass legitime (saubere) Mails von ClamAV blockiert werden (Rspamd markiert die Mail mit `VIRUS_FOUND`). So werden beispielsweise interaktive PDF-Formularanhänge standardmäßig blockiert, da der eingebettete Javascript-Code für schädliche Zwecke verwendet werden könnte. Überprüfen Sie dies anhand der clamd-Protokolle, z.B.:
|
||||
|
||||
```bash
|
||||
docker-compose logs clamd-mailcow | grep "FOUND"
|
||||
```
|
||||
|
||||
Diese Zeile bestätigt, dass ein solcher identifiziert wurde:
|
||||
|
||||
```text
|
||||
clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
|
||||
```
|
||||
|
||||
Um diese spezielle Signatur auf die Whitelist zu setzen (und den Versand dieses Dateityps im Anhang zu ermöglichen), fügen Sie sie der ClamAV-Signatur-Whitelist-Datei hinzu:
|
||||
|
||||
```bash
|
||||
echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2
|
||||
```
|
||||
|
||||
Dann starten Sie den clamd-mailcow Service Container in der mailcow UI oder mit docker-compose neu:
|
||||
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
||||
|
||||
Bereinigen Sie zwischengespeicherte ClamAV-Ergebnisse in Redis:
|
||||
|
||||
```
|
||||
# docker-compose exec redis-mailcow /bin/sh
|
||||
/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL
|
||||
/data # exit
|
||||
```
|
33
docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md
Normale Datei
33
docs/manual-guides/ClamAV/u_e-clamav-whitelist.en.md
Normale Datei
|
@ -0,0 +1,33 @@
|
|||
## Whitelist specific ClamAV signatures
|
||||
|
||||
You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with `VIRUS_FOUND`). For instance, interactive PDF form attachments are blocked by default because the embedded Javascript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.:
|
||||
|
||||
```bash
|
||||
docker-compose logs clamd-mailcow | grep "FOUND"
|
||||
```
|
||||
|
||||
This line confirms that such was identified:
|
||||
|
||||
```text
|
||||
clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
|
||||
```
|
||||
|
||||
To whitelist this particular signature (and enable sending this type of file attached), add it to the ClamAV signature whitelist file:
|
||||
|
||||
```bash
|
||||
echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2
|
||||
```
|
||||
|
||||
Then restart the clamd-mailcow service container in the mailcow UI or using docker-compose:
|
||||
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
||||
|
||||
Cleanup cached ClamAV results in Redis:
|
||||
|
||||
```
|
||||
# docker-compose exec redis-mailcow /bin/sh
|
||||
/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL
|
||||
/data # exit
|
||||
```
|
|
@ -148,40 +148,6 @@ GLOBAL_RCPT_BL {
|
|||
|
||||
3. Speichern Sie die Datei und starten Sie Rspamd neu: `docker-compose restart rspamd-mailcow`.
|
||||
|
||||
## Whitelist fĂĽr bestimmte ClamAV-Signaturen
|
||||
|
||||
Es kann vorkommen, dass legitime (saubere) Mails von ClamAV blockiert werden (Rspamd markiert die Mail mit `VIRUS_FOUND`). So werden beispielsweise interaktive PDF-Formularanhänge standardmäßig blockiert, da der eingebettete Javascript-Code für schädliche Zwecke verwendet werden könnte. Überprüfen Sie dies anhand der clamd-Protokolle, z.B.:
|
||||
|
||||
```bash
|
||||
docker-compose logs clamd-mailcow | grep "FOUND"
|
||||
```
|
||||
|
||||
Diese Zeile bestätigt, dass ein solcher identifiziert wurde:
|
||||
|
||||
```text
|
||||
clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
|
||||
```
|
||||
|
||||
Um diese spezielle Signatur auf die Whitelist zu setzen (und den Versand dieses Dateityps im Anhang zu ermöglichen), fügen Sie sie der ClamAV-Signatur-Whitelist-Datei hinzu:
|
||||
|
||||
```bash
|
||||
echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2
|
||||
```
|
||||
|
||||
Dann starten Sie den clamd-mailcow Service Container in der mailcow UI oder mit docker-compose neu:
|
||||
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
||||
|
||||
Bereinigen Sie zwischengespeicherte ClamAV-Ergebnisse in Redis:
|
||||
|
||||
```
|
||||
# docker-compose exec redis-mailcow /bin/sh
|
||||
/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL
|
||||
/data # exit
|
||||
```
|
||||
|
||||
## Verwerfen statt zurĂĽckweisen
|
||||
|
||||
Wenn Sie eine Nachricht stillschweigend verwerfen wollen, erstellen oder bearbeiten Sie die Datei `data/conf/rspamd/override.d/worker-proxy.custom.inc` und fĂĽgen Sie den folgenden Inhalt hinzu:
|
||||
|
|
|
@ -149,40 +149,6 @@ GLOBAL_RCPT_BL {
|
|||
|
||||
3. Save the file and restart Rspamd: `docker-compose restart rspamd-mailcow`.
|
||||
|
||||
## Whitelist specific ClamAV signatures
|
||||
|
||||
You may find that legitimate (clean) mail is being blocked by ClamAV (Rspamd will flag the mail with `VIRUS_FOUND`). For instance, interactive PDF form attachments are blocked by default because the embedded Javascript code may be used for nefarious purposes. Confirm by looking at the clamd logs, e.g.:
|
||||
|
||||
```bash
|
||||
docker-compose logs clamd-mailcow | grep "FOUND"
|
||||
```
|
||||
|
||||
This line confirms that such was identified:
|
||||
|
||||
```text
|
||||
clamd-mailcow_1 | Sat Sep 28 07:43:24 2019 -> instream(local): PUA.Pdf.Trojan.EmbeddedJavaScript-1(e887d2ac324ce90750768b86b63d0749:363325) FOUND
|
||||
```
|
||||
|
||||
To whitelist this particular signature (and enable sending this type of file attached), add it to the ClamAV signature whitelist file:
|
||||
|
||||
```bash
|
||||
echo 'PUA.Pdf.Trojan.EmbeddedJavaScript-1' >> data/conf/clamav/whitelist.ign2
|
||||
```
|
||||
|
||||
Then restart the clamd-mailcow service container in the mailcow UI or using docker-compose:
|
||||
|
||||
```bash
|
||||
docker-compose restart clamd-mailcow
|
||||
```
|
||||
|
||||
Cleanup cached ClamAV results in Redis:
|
||||
|
||||
```
|
||||
# docker-compose exec redis-mailcow /bin/sh
|
||||
/data # redis-cli KEYS rs_cl* | xargs redis-cli DEL
|
||||
/data # exit
|
||||
```
|
||||
|
||||
## Discard instead of reject
|
||||
|
||||
If you want to silently drop a message, create or edit the file `data/conf/rspamd/override.d/worker-proxy.custom.inc` and add the following content:
|
||||
|
|
|
@ -123,6 +123,9 @@ nav:
|
|||
- 'Thresholds': 'manual-guides/Watchdog/u_e-watchdog-thresholds.md'
|
||||
- 'Redis': 'manual-guides/Redis/u_e-redis.md'
|
||||
- 'Rspamd': 'manual-guides/Rspamd/u_e-rspamd.md'
|
||||
- 'ClamAV':
|
||||
- 'Whitelist': 'manual-guides/ClamAV/u_e-clamav-whitelist.md'
|
||||
- 'Additional Databases': 'manual-guides/ClamAV/u_e-clamav-additional_dbs.md'
|
||||
- 'SOGo': 'manual-guides/SOGo/u_e-sogo.md'
|
||||
- 'Docker':
|
||||
- 'Customize Dockerfiles': 'manual-guides/Docker/u_e-docker-cust_dockerfiles.md'
|
||||
|
@ -235,6 +238,8 @@ plugins:
|
|||
'Custom sites': 'Benutzerdefinierte Seiten'
|
||||
### Watchdog Subsection
|
||||
'Thresholds': 'Thresholds'
|
||||
### ClamAV Subsection
|
||||
'Additional Databases': 'Weitere Datenbanken'
|
||||
### Docker Subsection
|
||||
'Customize Dockerfiles': 'Dockerfiles anpassen'
|
||||
'Why unbound?': 'Warum unbound?'
|
||||
|
|
Laden …
In neuem Issue referenzieren