Virus Scanning Email with Clam AntiVirus

XMS Mail Server has a filter for plugging into the open source ClamAV virus scanner.

Installing ClamAV

Use the ClamAV Documentation to install and configure Clam AntiVirus on a server. Make sure ScanMail is enabled in the ClamAV configuration file, and also set TCPSocket 3310. Next, make sure the clamd daemon is running.

Note: You do not need to install ClamAV on the same server as your XMS Email Server. For best performance and high availability, you may wish to install ClamAV on multiple servers; see the Load Balancing section for more information.

Configuring the XMS ClamAV filter

With clamd configured and running on at least one server, you can set up XMS mail server to scan email for viruses. This is done with the ClamAVFilter (xms.filter.data.ClamAVFilter).

Here is an example configuration:

<filter 
  class="xms.filter.data.ClamAVFilter"
  primaryhosts="127.0.0.1"
  scanplain="false"
  secondaryhosts="10.0.0.10" />

Put the filter tag inside the service tag for the xms.transport.smtp.SMTPService service class.

Load Balancing ClamAV AntiVirus Filter

The XMS ClamAV filter can balance virus scanning load across multiple ClamAV servers. This is configured by placing multiple IP addresses in the primaryhosts attribute, separated by commas.

primaryhosts="127.0.0.1,10.0.0.10,10.0.0.11,10.0.0.12"

XMS will distribute virus scanning to each host in the primary host list. If a primary host goes down, it is removed from the list and polled. If it comes back up, it is added to the primary host list again.

If all primary hosts are down, the secondary host list is used. These hosts are used only for failover if all primary hosts are down. They are configured with the secondaryhosts attribute:

secondaryhosts="10.0.0.20,10.0.0.21"

What does the ClamAV Virus Scanning Filter do?

Every message scanned by ClamAV will have the header X-Virus-Scanned, which might look something like this:

X-Virus-Scanned: ClamAV 0.84rc1/856/Wed Apr 27 03:00:37 2005

If a virus is found, the message is silently discarded by the mail server. Note that bouncing the message is not a good idea, because viruses often spoof From addresses. Additionally, if your log level is set to Info or lower, each virus will be logged. Here is what the log message may look like:

Virus Found: From:"virusguy@getsomeviruses.com" To:"someone@yourcompany.com" IP:"12.34.56.78"  \
	ClamAV Version:"ClamAV 0.84rc1/856/Wed Apr 27 03:00:37 2005" ClamAV Response:"Worm.SomeFool.Gen-1 FOUND"
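Because infected messages are discarded silently, the log is the only record of what was blocked. The following is an added example, not part of XMS or its documentation: it parses "Virus Found" lines in the format shown above and tallies detections by connecting IP and by signature. The timestamp and level prefix, the one-event-per-line layout, the sample lines and the second signature name are constructed assumptions.

```python
import re
from collections import Counter

# Key:"value" pairs exactly as named in the sample "Virus Found" line above.
FIELD_RE = re.compile(r'(From|To|IP|ClamAV Version|ClamAV Response):"([^"]*)"')
MARKER = "Virus Found:"

def parse_virus_line(line):
    """Return the fields of a 'Virus Found:' log line, or None for any other line."""
    pos = line.find(MARKER)
    if pos < 0:
        return None
    fields = dict(FIELD_RE.findall(line[pos + len(MARKER):]))
    if "IP" not in fields or "ClamAV Response" not in fields:
        return None  # truncated or unexpected layout: skip rather than guess
    response = fields["ClamAV Response"]
    # The response is "<signature> FOUND"; keep only the signature name.
    suffix = " FOUND"
    fields["Signature"] = response[:-len(suffix)] if response.endswith(suffix) else response
    return fields

def summarize(lines):
    """Count detections per connecting IP and per signature.

    From is sender-supplied and often spoofed, so the connecting IP is the
    field to group on; From and To are kept in the record only for context.
    """
    by_ip, by_sig = Counter(), Counter()
    for line in lines:
        rec = parse_virus_line(line)
        if rec is not None:
            by_ip[rec["IP"]] += 1
            by_sig[rec["Signature"]] += 1
    return by_ip, by_sig

# Constructed sample log (prefix layout assumed; addresses are documentation ranges).
VER = 'ClamAV Version:"ClamAV 0.84rc1/856/Wed Apr 27 03:00:37 2005"'
SAMPLE_LOG = [
    f'2005-04-27 03:10:01 INFO Virus Found: From:"a@example.com" To:"someone@example.org" IP:"192.0.2.10" {VER} ClamAV Response:"Worm.SomeFool.Gen-1 FOUND"',
    f'2005-04-27 03:10:09 INFO Virus Found: From:"b@example.net" To:"other@example.org" IP:"192.0.2.10" {VER} ClamAV Response:"Worm.SomeFool.Gen-1 FOUND"',
    '2005-04-27 03:11:00 INFO Message accepted for delivery',
    f'2005-04-27 03:12:30 INFO Virus Found: From:"c@example.com" To:"someone@example.org" IP:"198.51.100.7" {VER} ClamAV Response:"Example.Signature-1 FOUND"',
]

if __name__ == "__main__":
    ips, sigs = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip}\t{n}")
    for sig, n in sigs.most_common():
        print(f"{sig}\t{n}")
```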