Domino 12.0.2 EAP CD 1 – ClamAV & ICAP

A word of warning. The described features of Domino 12.0.2 EAP are subject to change in later code drops.
The described configuration of ClamAV & ICAP is NOT intended to be used in production. I take no responsibility for any damage or data loss caused by using the configuration on test or production systems.

A new feature “Virus scanning for message attachments” has been added to Domino 12.0.2 EAP. You can set up HCL Domino to work with any virus scanning server that supports the ICAP protocol to scan attachments in mail messages for viruses. In addition to Domino 12.0.2, you need a third-party ICAP protocol server to do the virus scanning. Domino has been tested with the products Trend Micro Web Security and McAfee Web Gateway. TLS is required in Domino 12.0.2 GA to connect to the server, but it is disabled for now.

Prerequisites

The installation uses CentOS 8 Stream. The minimum installation was chosen for the software selection. All required packages are installed later via dnf.

For my tests, I have set SELinux to permissive as described here: https://linuxize.com/post/how-to-disable-selinux-on-centos-8/

We need to download and configure some files during the setup. This can be done using vi or any other text editor. I prefer nano.

dnf -y install nano wget

Next, we install an additional repository

dnf -y install epel-release

Install ClamAV, freshclam and clamd

Then install ClamAV and the related services.

dnf --enablerepo=epel -y install clamav clamd clamav-update

Run

freshclam

to initialize or update the virus signature databases.

For a scheduled update, we will run freshclam as a service. Create a new file (nano will create an empty file if it does not exist).

nano /usr/lib/systemd/system/freshclam.service

and add the following content to it

[Unit]
Description = ClamAV Scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 1
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

Save and close the file. Then start the freshclam service and enable it to start on server startup. freshclam will update the signatures once a day.

systemctl start freshclam
systemctl enable freshclam

Created symlink /etc/systemd/system/multi-user.target.wants/freshclam.service → /usr/lib/systemd/system/freshclam.service.

Check the freshclam status.

systemctl status freshclam

● freshclam.service - ClamAV Scanner
   Loaded: loaded (/usr/lib/systemd/system/freshclam.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-05-31 07:07:48 CEST; 16s ago
 Main PID: 1809 (freshclam)
    Tasks: 1 (limit: 11344)
   Memory: 2.2M
   CGroup: /system.slice/freshclam.service
           └─1809 /usr/bin/freshclam -d -c 1

May 31 07:07:48 localhost.localdomain systemd[1]: Starting ClamAV Scanner...
May 31 07:07:48 localhost.localdomain systemd[1]: Started ClamAV Scanner.

To configure clamd, edit /etc/clamd.d/scan.conf

nano /etc/clamd.d/scan.conf

and enable or change the following existing values

LogFile /var/log/clamd.scan
PidFile /run/clamd.scan/clamd.pid
TemporaryDirectory /var/tmp
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup root
TCPSocket 3310
User root

Then initialize the logfile with

touch /var/log/clamd.scan

Create a new file

nano /etc/tmpfiles.d/clamd.scan.conf

and add the following content

d /run/clamd.scan 0770 root root -

Next, start, enable and get the status of clamd.service

systemctl start clamd@scan
systemctl enable clamd@scan
systemctl status clamd@scan


[root@localhost ~]# systemctl status clamd@scan
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-05-31 06:41:23 CEST; 4s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 1727 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
 Main PID: 1728 (clamd)
    Tasks: 2 (limit: 11344)
   Memory: 1.3G
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─1728 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Install c-icap

dnf -y install gcc make
curl -L -O http://downloads.sourceforge.net/project/c-icap/c-icap/0.5.x/c_icap-0.5.10.tar.gz
tar zxvf c_icap-0.5.10.tar.gz
cd c_icap-0.5.10

We need to modify the source code to work with Domino 12.0.2 EAP1. This is subject to become obsolete in a future Domino code drop.

Find all occurrences of “HTTP/1.0” in the source code. The mailscan task in Domino 12.0.2 expects “HTTP/1.1”.

grep -r -e "HTTP/1.0" *

You will get 3 matches in 2 source files.

info.c:    ci_http_response_add_header(req, "HTTP/1.0 200 OK");
utils/c-icap-client.c:    ci_headers_add(headers, "HTTP/1.0 200 OK");
utils/c-icap-client.c:    snprintf(lbuf,1024, "%s %s HTTP/1.0", method, url);

Replace HTTP/1.0 with HTTP/1.1

sed -i 's/HTTP\/1.0/HTTP\/1.1/g' info.c
sed -i 's/HTTP\/1.0/HTTP\/1.1/g' utils/c-icap-client.c

Run the following commands to build and install the binaries

./configure
make
make install
cd

cp /usr/local/etc/c-icap.conf /etc

Create a new file

nano /etc/tmpfiles.d/c-icap.conf

and add the following content

d /var/run/c-icap 0755 root root -

Create the c-icap service. Create a new file

nano /usr/lib/systemd/system/c-icap.service

and add the following content

[Unit]
Description=c-icap service
After=network.target

[Service]
Type=forking
PIDFile=/var/run/c-icap/c-icap.pid
ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf
KillMode=process

[Install]
WantedBy=multi-user.target

Now you can start, enable and check the status of the c-icap service

systemctl start c-icap
systemctl enable c-icap

systemctl status c-icap
● c-icap.service - c-icap service
   Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-05-31 07:25:30 CEST; 15s ago
 Main PID: 7757 (c-icap)
    Tasks: 37 (limit: 11344)
   Memory: 2.3M
   CGroup: /system.slice/c-icap.service
           ├─7757 /usr/local/bin/c-icap -f /etc/c-icap.conf
           ├─7758 /usr/local/bin/c-icap -f /etc/c-icap.conf
           ├─7759 /usr/local/bin/c-icap -f /etc/c-icap.conf
           └─7760 /usr/local/bin/c-icap -f /etc/c-icap.conf

May 31 07:25:30 localhost.localdomain systemd[1]: Starting c-icap service...
May 31 07:25:30 localhost.localdomain systemd[1]: Started c-icap service.

Install squidclamav

curl -L -O http://downloads.sourceforge.net/project/squidclamav/squidclamav/7.1/squidclamav-7.1.tar.gz

tar zxvf squidclamav-7.1.tar.gz
cd squidclamav-7.1

As with c-icap, we need to modify the source code to work with Domino 12.0.2 EAP1.

grep -r -e "HTTP/1.0" *
src/squidclamav.c:    ci_http_response_add_header(req, "HTTP/1.0 403 Forbidden");
src/squidclamav.c:    ci_http_response_add_header(req, "HTTP/1.0 307 Temporary Redirect");

sed -i 's/HTTP\/1.0/HTTP\/1.1/g' src/squidclamav.c

Build and deploy the binaries

./configure --with-c-icap
make
make install
cd

Edit c-icap configuration

nano /etc/c-icap.conf

and add the squidclamav service after the existing echo service

Service squidclamav squidclamav.so

Create a symlink for the squidclamav configuration file

ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf

Edit /etc/squidclamav.conf and apply the changes

nano /etc/squidclamav.conf

## comment out redirect (we don't need it here)
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi

## change clamd_local /var/run/clamav/clamd.ctl to
clamd_local /run/clamd.scan/clamd.sock

Restart c-icap

systemctl restart c-icap

Finally, we need to open port 1344 in the firewall

firewall-cmd --zone=public --add-port=1344/tcp --permanent
firewall-cmd --reload

Congratulations! You now have an ICAP server that uses ClamAV to scan your attachments for viruses.
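To check the ICAP side before pointing Domino at it, a small client is useful. The following is an added example, not part of the original post or of c-icap/squidclamav: it builds a RESPMOD request for the squidclamav service on port 1344 and reads the verdict from the reply. The names mail.example and sample.bin, the function names and the sample reply are constructed for illustration.

```python
# Added example, not from the original post. Host names and the sample
# reply are constructed; "squidclamav" is the service name from c-icap.conf.
import socket

def build_respmod(host, payload, service="squidclamav", port=1344):
    """Return a raw ICAP RESPMOD request that wraps payload as an HTTP body."""
    req_hdr = b"GET http://mail.example/sample.bin HTTP/1.1\r\nHost: mail.example\r\n\r\n"
    res_hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               + f"Content-Length: {len(payload)}\r\n\r\n".encode())
    # Encapsulated offsets count from the first byte after the ICAP headers.
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\nAllow: 204\r\nConnection: close\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    # Body uses chunked encoding and ends with a zero-length chunk.
    chunk = f"{len(payload):x}\r\n".encode() + payload + b"\r\n" if payload else b""
    return icap_hdr + req_hdr + res_hdr + chunk + b"0\r\n\r\n"

def parse_verdict(reply):
    """Return (icap_code, encapsulated_http_status_line_or_None, verdict)."""
    head, _, rest = reply.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    code = int(lines[0].split()[1])
    headers = dict((k.strip().lower(), v.strip()) for k, v in
                   (line.split(":", 1) for line in lines[1:] if ":" in line))
    http_status = None
    for part in headers.get("encapsulated", "").split(","):
        name, _, offset = part.strip().partition("=")
        if name == "res-hdr":
            http_status = rest[int(offset):].split(b"\r\n", 1)[0].decode("latin-1")
    # 204 = object passed through; 200 + "403" = the Forbidden header from squidclamav.c
    blocked = code == 200 and http_status and http_status.split()[1:2] == ["403"]
    verdict = "unmodified" if code == 204 else "blocked" if blocked else "other"
    return code, http_status, verdict

def scan(host, payload, port=1344):
    """Send payload to a live ICAP server and return parse_verdict()'s tuple."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_respmod(host, payload, port=port))
        reply = b""
        try:
            while data := s.recv(65536):
                reply += data
        except socket.timeout:
            pass
    return parse_verdict(reply)

# Constructed reply in the shape of a block response after the HTTP/1.1 patch.
SAMPLE_BLOCK = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=45\r\n\r\n"
                b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n0\r\n\r\n")
```

The second element of the returned tuple is the encapsulated HTTP status line, so it also shows whether the rebuilt binaries answer with HTTP/1.1 as the mailscan task expects.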

You can now use the ICAP server in your mailscan configuration in Domino 12.0.2. You’ll find information on how to configure mailscan in Domino 12.0.2 here

And last but not least, here is an example of a scanlog for the EICAR virus

I will update this post / write additional information during the Beta phase of Domino 12.0.2.
