Add the clamav image and glue for it in provision of the amavis image

Changelog.md

@@ -18,7 +18,11 @@ This is a note for developers about the recommended tags to keep track of the ch
 Dates must be YEAR-MONTH-DAY
 -->
 
-## 2020-02-07 --
+## 2020-02-10
+
+- Added: clamav folder and integration in prevision of amavis image
+
+## 2020-02-07
 
 - Changed: Completed the first version of the documentation.
 

clamav/Dockerfile

@@ -0,0 +1,34 @@
+FROM ubuntu/focal
+
+LABEL maintainer="Pavel Milanes <pavelmc@gmail.com>"
+ENV REFRESHED_AT 2022-02-10
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y -qq \
+        clamav-daemon \
+        clamav-freshclam \
+        libclamunrar9 \
+        ca-certificates && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# permission juggling
+RUN mkdir /var/run/clamav && \
+    chown clamav:clamav /var/run/clamav /var/lib/clamav && \
+    chmod 750 /var/run/clamav /var/lib/clamav
+
+COPY clamav/ /etc/clamav/
+COPY docker-entrypoint.sh /
+COPY check.sh /
+
+RUN chown -R clamav:clamav /etc/clamav /docker-entrypoint.sh /check.sh
+RUN chmod +x /docker-entrypoint.sh /check.sh
+
+VOLUME ["/var/lib/clamav"]
+
+EXPOSE 3310
+
+USER clamav
+
+CMD ["/docker-entrypoint.sh"]

clamav/README.md

@@ -0,0 +1,17 @@
+# ClamAV (anti-virus) solution image
+
+This is the docker image that server the AV scanning to amavis processing
+
+## It's all about ENV vars
+
+See the sample `docker-compose.yml` file, it has almost all you need, but I will explain some details.
+
+- `CLAMAV_PROXY_SERVER`: If you use proxy, this is the hostname/ip, like this: 10.1.2.3
+- `CLAMAV_PROXY_PORT`: the port of the proxy server
+- `CLAMAV_ALTERNATE_MIRROR`: if you need/want to specify a local/alternate db mirror, this is the hostname (https and a valid cert is needed)
+
+## Important details
+
+- All interaction is via 3310/tcp port
+- There is a volume to preserve the AV dabatabase, see the dockerfile/composer
+- This image has a built in healthcheck, see the docker-compose.yml file for an example.

clamav/build.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker build ./ --tag=mailad/clamav

clamav/check.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$(echo PING | nc localhost 3310)" = "PONG" ]; then
+    echo "ping successful"
+else
+    echo 1>&2 "ping failed"
+    exit 1
+fi

clamav/clamav/clamd.conf

@@ -0,0 +1,83 @@
+LocalSocket /var/run/clamav/clamd.ctl
+FixStaleSocket true
+LocalSocketGroup clamav
+LocalSocketMode 666
+User clamav
+TCPSocket 3310
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 12
+MaxConnectionQueueLength 15
+LogSyslog false
+LogRotate true
+LogFacility LOG_LOCAL6
+LogClean false
+LogVerbose false
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+SelfCheck 3600
+Foreground true
+Debug false
+ScanPE true
+MaxEmbeddedPE 10M
+ScanOLE2 true
+ScanPDF true
+ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
+ExitOnOOM false
+LeaveTemporaryFiles false
+AlgorithmicDetection true
+ScanELF true
+IdleTimeout 30
+CrossFilesystems true
+PhishingSignatures true
+PhishingScanURLs true
+PhishingAlwaysBlockSSLMismatch false
+PhishingAlwaysBlockCloak false
+PartitionIntersection false
+DetectPUA false
+ScanPartialMessages false
+HeuristicScanPrecedence false
+StructuredDataDetection false
+CommandReadTimeout 30
+SendBufTimeout 200
+MaxQueue 100
+ExtendedDetectionInfo true
+OLE2BlockMacros false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck yes
+DisableCache false
+MaxScanTime 120000
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
+StreamMaxLength 25M
+#LogFile /dev/stdout
+LogTime true
+LogFileUnlock false
+LogFileMaxSize 0
+Bytecode true
+BytecodeSecurity TrustSigned
+BytecodeTimeout 60000
+OnAccessMaxFileSize 5M

clamav/clamav/freshclam.conf

@@ -0,0 +1,27 @@
+# Automatically created by the clamav-freshclam postinst
+# Comments will get lost when you reconfigure the clamav-freshclam package
+
+DatabaseOwner clamav
+#UpdateLogFile /dev/stdout
+LogVerbose false
+LogSyslog false
+LogFacility LOG_LOCAL6
+LogFileMaxSize 0
+LogRotate false
+LogTime true
+Foreground true
+Debug false
+MaxAttempts 5
+DatabaseDirectory /var/lib/clamav
+DNSDatabaseInfo current.cvd.clamav.net
+ConnectTimeout 30
+ReceiveTimeout 0
+TestDatabases yes
+ScriptedUpdates yes
+CompressLocalDatabase no
+Bytecode true
+NotifyClamd /etc/clamav/clamd.conf
+# Check for new database 24 times a day
+Checks 24
+DatabaseMirror db.local.clamav.net
+DatabaseMirror database.clamav.net

clamav/docker-compose.yml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+services:
+  clamav:
+    image: mailad/clamav
+    build: .
+    domainname: mailad.cu
+    hostname: clamav
+    healthcheck:
+        test: ["CMD", "./check.sh"]
+        interval: 60s
+        retries: 3
+        start_period: 120s
+    environment:
+      # CLAMAV_PROXY_SERVER: 10.1.2.3
+      # CLAMAV_PROXY_PORT: 3128
+      CLAMAV_ALTERNATE_MIRROR: clamav.ddns.net
+    ports:
+      - "3310:3310"
+    volumes:
+      - ../ldata/clamav:/var/lib/clamav

clamav/docker-entrypoint.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+set -m
+
+if [ ! -f /etc/clamav/configured ] ; then
+    if ! [ -z "${CLAMAV_PROXY_SERVER}" ]; then
+        echo "HTTPProxyServer ${CLAMAV_PROXY_SERVER}" >> /etc/clamav/freshclam.conf
+    fi
+
+    if ! [ -z "${CLAMAV_PROXY_PORT}" ]; then
+        echo "HTTPProxyPort ${CLAMAV_PROXY_PORT}" >> /etc/clamav/freshclam.conf
+    fi
+    # config alternate mirrors
+    if [ ! -z "${CLAMAV_ALTERNATE_MIRROR}" ]; then
+        sed -i s/"DatabaseMirror .*$"/""/g /etc/clamav/freshclam.conf
+        echo "DatabaseMirror ${CLAMAV_ALTERNATE_MIRROR}" >> /etc/clamav/freshclam.conf
+    fi
+
+    touch /etc/clamav/configured
+fi
+
+# fix perms if needed 
+chown clamav:clamav /var/lib/clamav
+chmod -R 0755 /var/lib/clamav/
+
+DB_DIR=$(sed -n 's/^DatabaseDirectory\s\(.*\)\s*$/\1/p' /etc/clamav/freshclam.conf )
+DB_DIR=${DB_DIR:-'/var/lib/clamav'}
+MAIN_FILE="$DB_DIR/main.cvd"
+
+# start of the magic
+/usr/bin/freshclam -d &
+echo -e "waiting for clam to update..."
+
+until [ -e ${MAIN_FILE} ] ; do
+    :
+done
+
+echo -e "starting clamd..."
+/usr/bin/clamd &
+
+# recognize PIDs
+pidlist=$(jobs -p)
+
+# initialize latest result var
+latest_exit=0
+
+# define shutdown helper
+function shutdown() {
+    trap "" SIGINT
+
+    for single in $pidlist; do
+        if ! kill -0 "$single" 2> /dev/null; then
+            wait "$single"
+            latest_exit=$?
+        fi
+    done
+
+    kill "$pidlist" 2> /dev/null
+}
+
+# run shutdown
+trap shutdown SIGINT
+wait -n
+
+# return received result
+exit $latest_exit

docker-compose.yml

@@ -84,9 +84,29 @@ services:
       - vmail:/home/vmail
       - certs:/certs
 
+  clamav:
+    image: mailad/clamav
+    build: ./clamav/
+    domainname: mailad.cu
+    hostname: clamav
+    healthcheck:
+        test: ["CMD", "./check.sh"]
+        interval: 60s
+        retries: 3
+        start_period: 120s
+    environment:
+      # CLAMAV_PROXY_SERVER: 10.1.2.3
+      # CLAMAV_PROXY_PORT: 3128
+      CLAMAV_ALTERNATE_MIRROR: clamav.ddns.net
+    ports:
+      - "3310"
+    volumes:
+      - clamav:/var/lib/clamav
+
 volumes:
   samba_var:
   samba_etc:
   certs:
   vmail:
   spool:
+  clamav: