Updated Jan 27, 2026
1. What is ClamAV?
ClamAV is an open‑source antivirus engine designed primarily for server environments. It is widely used in mail servers due to its ability to:
- Scan email attachments
- Detect viruses, trojans, malware, and phishing
- Operate efficiently with low resource usage
- Integrate easily with automated systems
ClamAV does not make decisions; it only scans and reports.
2. ClamAV’s Role in iRedMail Architecture
Internet
↓
Postfix
↓
Amavis
↓
ClamAV ← (Virus Scan)
↓
SpamAssassin ← (Spam Score)
↓
Mailbox (Dovecot)
ClamAV communicates directly only with Amavis.
3. Core Components of ClamAV
3.1 clamd
- Main scanning daemon
- Handles scan requests from Amavis
3.2 freshclam
- Updates virus signatures
- Critical for maintaining security
4. How ClamAV Connects to iRedMail
In iRedMail, Amavis connects to ClamAV via a Unix socket.
Typical socket path:
/run/clamav/clamd.ctl
Example configuration inside Amavis:
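['ClamAV-clamd',
  \&ask_daemon,                                   # code reference, so it must not be quoted
  ["CONTSCAN {}\n", "/run/clamav/clamd.ctl"],    # clamd command and socket path
  qr/\bOK$/m,                                     # reply pattern: clean
  qr/\bFOUND$/m,                                  # reply pattern: infected
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],   # captures the signature name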
5. Important ClamAV Paths
| Path | Description |
|---|---|
| /etc/clamav/ | Main configuration directory |
| clamd.conf | Daemon configuration |
| freshclam.conf | Signature update configuration |
| /var/lib/clamav/ | Signature database |
| /run/clamav/ | Socket directory |
6. Key clamd.conf Settings
6.1 Enable Socket
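LocalSocket /run/clamav/clamd.ctl
LocalSocketMode 666
Mode 666 makes the socket readable and writable by every local user, so any account on the server can submit scan requests to clamd.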
6.2 Performance Tuning
MaxThreads 12
StreamMaxLength 50M
Adjust values based on server RAM and workload.
7. Signature Updates (freshclam)
Check status:
systemctl status clamav-freshclam
Manual update:
freshclam
If signatures are outdated, ClamAV becomes ineffective.
8. Testing ClamAV
EICAR Standard Test File:
Place this text in a file:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Send it via email → It must be blocked and logged as “FOUND”.
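To check the clamd side of this path without sending mail, the following added example (not from the original article, iRedMail or Amavis) submits the EICAR string to the socket with clamd's INSTREAM command and classifies the reply with Python forms of the three patterns from the Amavis entry in section 4. The function names and the FOUND-before-OK ordering are choices made for this example; run it as a user allowed to open the socket.

```python
import re
import socket
import struct

CLAMD_SOCKET = "/run/clamav/clamd.ctl"  # socket path given on this page
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Python forms of the three patterns in the Amavis entry (section 4)
RE_CLEAN = re.compile(r"\bOK$", re.M)
RE_INFECTED = re.compile(r"\bFOUND$", re.M)
RE_NAMES = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

def classify(reply: str):
    """Return (verdict, details) for a raw clamd reply."""
    text = reply.rstrip("\0\n")
    if RE_INFECTED.search(text):   # example's choice: FOUND wins over OK on mixed output
        return "infected", RE_NAMES.findall(text)
    if RE_CLEAN.search(text):
        return "clean", []
    return "error", [text]         # ERROR lines, empty or unrecognised replies

def instream_frames(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode data as a clamd INSTREAM request: length-prefixed chunks."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(frames)

def scan_bytes(data: bytes, path: str = CLAMD_SOCKET, timeout: float = 10.0):
    """Send data to clamd over the Unix socket and classify the reply."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(instream_frames(data))
            reply = b""
            while not reply.endswith(b"\0"):  # z-commands get NUL-terminated replies
                part = s.recv(4096)
                if not part:
                    break
                reply += part
    except OSError as exc:         # socket missing, permission denied, timeout
        return "error", [str(exc)]
    return classify(reply.decode("utf-8", "replace"))

if __name__ == "__main__":
    print(scan_bytes(EICAR))       # a healthy clamd reports "infected"
```

An "error" verdict here corresponds to the "clamd down" row in section 10, which makes the script usable as a monitoring probe as well as a one-off test.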
9. Logs & Debugging
Log location:
/var/log/maillog
Search for ClamAV entries:
grep -i clamav /var/log/maillog
10. ClamAV Behavior in iRedMail
| Status | Result |
|---|---|
| Virus detected | Reject / Quarantine |
| clamd down | Fail‑open (default) |
| Outdated signatures | High security risk |
Fail‑open is recommended to avoid blocking clean emails.
11. Common Issues
High CPU usage
- MaxThreads too high
- Large attachments
No such file socket
- clamd not running
- Incorrect permissions
freshclam not working
- DNS issues
- Mirror blocked
12. Hardening & Best Practices
- Use Unix socket instead of TCP
- Set proper resource limits
- Monitor freshclam regularly
- Back up configuration files
Conclusion
ClamAV is a critical security layer in iRedMail. It works behind Amavis to detect malicious attachments and prevent infected messages from reaching users. Without frequent signature updates, ClamAV loses its effectiveness. With proper configuration and monitoring, ClamAV ensures strong protection with excellent performance.
Written & researched by Dr. Shahin Siami