[Mimedefang] patches/support of off-server clamd implementation?
Michiel Brandenburg
apex at xepa.nl
Wed Apr 21 14:31:22 EDT 2010
On 21-4-2010 19:34, Tom Brown wrote:
> clamd seems to be getting increasingly memory intensive. The default
> mimedefang clamd support wants to talk to a clamd daemon on the local
> machine, but I'm beginning to think that I'd rather run clamd on ONE box
> and have MD connect to it. I still have a few small servers around that
> only have 512 Meg of ram and having clamd eat half of it is not very nice.
>
> AFAICS, the current Mimedefang code is UNIX socket specific
> (entity_contains_virus_clamd and message_contains_virus_clamd)
>
> my $sock = IO::Socket::UNIX->new(Peer => $clamd_sock);
> if (defined $sock) {

There are a few problems with running clamav on another server. The
daemon wants to talk a kind of FTP-like protocol, making this protocol
totally unsuitable for load balancers, firewalls, NAT and the like.
Fortunately the people from clamav have finally decided to do something
about it. They have introduced a new scan command called 'INSTREAM'.
With this command (and a certain syntax) it is possible to use one
connection (instead of an FTP-like connection) to communicate with an
off-server scanner.

I have it working like this. Make sure that you run the clamav daemon on
a socket / port combination and make sure it supports the INSTREAM
command. I kinda forgot in which version it was introduced.

Get a hold of the ClamAV::Client Perl package and extend it with the
INSTREAM command. The client package did not have this command yet :(
The INSTREAM command works something like this.
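
    # writeToClamAV() and readFromClamAV() stand for your socket write/read
    # routines; $fh is the open handle of the data being scanned
    writeToClamAV("zINSTREAM\0");
    # each chunk: 4-byte network-order length, then the data
    while (read($fh, my $block, 4096)) {
        writeToClamAV(pack('N', length($block)) . $block);
    }
    # signal we are done
    writeToClamAV(pack('N', 0));
    my $reply = readFromClamAV();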

There are some gotchas I did not fix but worked around: if your
block size is too large, clamav will close the connection, so make sure
you are still connected to clamav before each write.

It works like a charm; next stage: load balance it all.
--
Michiel Brandenburg
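
As an added example (not code from this post or from ClamAV::Client), here is one way to write the INSTREAM exchange described above in Perl so that a dropped connection or an error reply is reported as an error and never as a clean result. The names `instream_scan()` and `demo()` are chosen for this example, and `demo()` with its 8192-byte limit is a constructed stand-in for clamd so the script runs offline; against a real daemon you would pass a connected IO::Socket::INET handle instead.

```perl
use strict; use warnings;
use Socket;

# Stream $data to clamd on connected $sock; returns (status, detail).
sub instream_scan {
    my ($sock, $data, $chunk) = @_;
    local $SIG{PIPE} = 'IGNORE';    # closed peer: failed write, not a kill
    my @frames = ("zINSTREAM\0");
    for (my $o = 0; $o < length($data); $o += $chunk) {
        push @frames, pack('N/a*', substr($data, $o, $chunk));
    }
    push @frames, pack('N', 0);     # zero-length chunk ends the stream
    for my $frame (@frames) {
        while (length $frame) {     # every write is checked, as the post advises
            my $n = syswrite($sock, $frame) or return ('error', 'write failed');
            substr($frame, 0, $n, '');
        }
    }
    my $reply = '';
    until ($reply =~ s/\0.*//s) {   # z-commands get a NUL-terminated reply
        sysread($sock, my $buf, 512) or return ('error', 'no reply');
        $reply .= $buf;
    }
    return ('clean', '')    if $reply eq 'stream: OK';
    return ('infected', $1) if $reply =~ /^stream: (.+) FOUND$/;
    return ('error', $reply);       # e.g. "INSTREAM size limit exceeded"
}

# Constructed stand-in for clamd that enforces a $limit-byte stream limit.
sub demo {
    my ($data, $limit) = @_;
    socketpair(my $cli, my $srv, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die $!;
    my $pid = fork() // die $!;
    if (!$pid) {
        read($srv, my $cmd, 10);    # "zINSTREAM\0"
        my $total = 0;
        while ($total <= $limit and read($srv, my $hdr, 4) == 4) {
            my $len = unpack('N', $hdr) or last;
            $total += read($srv, my $body, $len);
        }
        my $over = "INSTREAM size limit exceeded. ERROR\0";
        syswrite($srv, $total > $limit ? $over : "stream: OK\0");
        exit 0;
    }
    close $srv;
    my @verdict = instream_scan($cli, $data, 4096);
    waitpid($pid, 0);
    return "@verdict";
}
print demo('x' x 1000, 8192), "\n", demo('x' x 20000, 8192), "\n";
```

In a MIMEDefang filter the 'error' status is the case to map to a temporary failure, so that mail is retried when the remote scanner is unreachable or rejects the stream.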